import java.util.HashSet;
import java.util.List;
import java.util.Set;
+import java.util.regex.Pattern;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
}
}
zipFile = new ZipInputStream(new BufferedInputStream(zipFileStream));
- final ZipEntry zipEntry = zipFile.getNextEntry();
- Log.d(LOG, "Unzipping entry: " + zipEntry.getName());
- File targetFile = new File(application.getDictDir(), zipEntry.getName());
- if (targetFile.exists()) {
- targetFile.renameTo(new File(targetFile.getAbsolutePath().replace(".quickdic", ".bak.quickdic")));
- targetFile = new File(application.getDictDir(), zipEntry.getName());
+ ZipEntry zipEntry;
+ while ((zipEntry = zipFile.getNextEntry()) != null) {
+ // Note: this check prevents security issues like accidental path
+ // traversal, which unfortunately ZipInputStream has no protection against.
+ // So take extra care when changing it.
+ if (!Pattern.matches("[-A-Za-z]+\\.quickdic", zipEntry.getName())) {
+ Log.w(LOG, "Invalid zip entry: " + zipEntry.getName());
+ continue;
+ }
+ Log.d(LOG, "Unzipping entry: " + zipEntry.getName());
+ File targetFile = new File(application.getDictDir(), zipEntry.getName());
+ if (targetFile.exists()) {
+ targetFile.renameTo(new File(targetFile.getAbsolutePath().replace(".quickdic", ".bak.quickdic")));
+ targetFile = new File(application.getDictDir(), zipEntry.getName());
+ }
+ zipOut = new FileOutputStream(targetFile);
+ copyStream(zipFile, zipOut);
}
- zipOut = new FileOutputStream(targetFile);
- copyStream(zipFile, zipOut);
application.backgroundUpdateDictionaries(dictionaryUpdater);
if (!isFinishing())
Toast.makeText(context, getString(R.string.installationFinished, dest),
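Review bot: `zipOut = new FileOutputStream(targetFile);` now runs once per accepted entry, but the only `zipOut.close()` visible is in the `finally` block further down, so every output stream except the last stays open until the method exits. Close it per entry, e.g. `try { copyStream(zipFile, zipOut); } finally { zipOut.close(); zipOut = null; }`. The name check itself works as a traversal guard because `Pattern.matches` requires the whole entry name to match and the character class admits no `/`, `\` or `.`; since it now runs for every entry, a precompiled `static final Pattern` would avoid recompiling the regex each iteration. Nothing visible here bounds the number of entries or the bytes `copyStream` writes, so if that helper (defined outside this hunk) has no cap, a hostile or corrupt archive could fill the dictionary directory; worth confirming. The enclosing method starts and ends outside the hunk.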
} finally {
try {
if (zipOut != null) zipOut.close();
- } catch (IOException e) {}
+ } catch (IOException ignored) {}
try {
if (zipFile != null) zipFile.close();
- } catch (IOException e) {}
+ } catch (IOException ignored) {}
try {
if (zipFileStream != null) zipFileStream.close();
- } catch (IOException e) {}
- if (localZipFile != null && delete) localZipFile.delete();
+ } catch (IOException ignored) {}
+ if (localZipFile != null && delete) //noinspection ResultOfMethodCallIgnored
+ localZipFile.delete();
}
return result;
}
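Review bot: In the `finally` block, `if (localZipFile != null && delete) //noinspection ResultOfMethodCallIgnored` leaves an unbraced `if` whose body sits on the next line behind a trailing comment, which is easy to break when another statement is added. Wrap the body in braces and move the `//noinspection` comment onto its own line directly above `localZipFile.delete();`. If a failed delete matters here (the downloaded archive would remain on storage), consider logging the `false` return with `Log.w` rather than suppressing the inspection. The method this block closes begins outside the hunk.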
DownloadManager downloadManager = (DownloadManager) getSystemService(DOWNLOAD_SERVICE);
+ if (downloadManager == null) {
+ String msg = getString(R.string.downloadManagerQueryFailed);
+ new AlertDialog.Builder(DictionaryManagerActivity.this).setTitle(getString(R.string.error))
+ .setMessage(getString(R.string.downloadFailed, msg))
+ .setNeutralButton("Close", null).show();
+ return;
+ }
+
try {
downloadManager.enqueue(request);
} catch (SecurityException e) {
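Review bot: The neutral button label `"Close"` in the added dialog is a hard-coded English literal, while the title and message next to it come from `getString(...)`; it should move to a string resource so it is translated with the rest. The message also reuses `R.string.downloadManagerQueryFailed` for what is a missing system service rather than a failed query, which may read oddly to the user; a dedicated string would be clearer if that resource's text is query-specific. The enclosing method starts outside the hunk and its `try` continues past it, so whether any state set up before this early `return` needs undoing cannot be judged from here.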